Cloudbleed Revealed Personal Information - And: What Is the Real Danger Behind a Service Like Cloudflare?

Cloudflare disclosed a serious bug in its software that revealed user passwords, authentication tokens and cookies of millions
of websites. Tutanota was not affected, as your secure mailbox does not use Cloudflare or any similar service. But if you
are using your Tutanota password for any other service (which you shouldn't!), change it right away: it may be accessible
to whoever is looking for it somewhere on the internet.

Every browser could see private data

The so-called Cloudbleed bug is much worse than its little brother Heartbleed: it not only affected millions of websites,
it also sent personal information such as login data (even for banking websites) and private chat sessions from dating
websites to any other browser accessing a website that uses Cloudflare.

It is possible that you have recently visited one of these websites thinking you were safe because the lock for the SSL
connection was showing up green. But visiting these sites was like going to a cash machine to withdraw money: everything
seemed normal, except that the machine would still show all details of the previous user, including his PIN and a copy of
the card he used, making it possible for you to withdraw money from his account. And it gets even worse: after you used
this machine, your information might be shown to the next customer, and so on and so forth.

Search engines made sensitive information easily accessible

This information exchange was hidden within the browsers, so it largely went unnoticed. However, it is very likely that it
was noticed by some. The traffic was cached automatically by search engines like Google and Bing, which made it easily
accessible to anybody who found out about the leak and knew what to look for. In addition, this information was visible to
bots trawling the web, so it might already have fallen into the hands of people with bad intentions.

Google engineer Tavis Ormandy discovered the bug; it was fixed, and the cached search engine data was scrubbed manually,
within a couple of days. However, as the bug was probably active since September 2016, we advise you to change all
passwords for affected websites. In addition, if you are using your Tutanota password for anything else, please change it
as well, just to be sure.

What information was leaked through Cloudbleed?

According to the official statement of Cloudflare, the problem was in the code of a new HTML parser, which suffered from a
buffer overflow vulnerability triggered by unbalanced HTML tags on pages. Most of the leakage took place between February 13
and February 18, which is also when Ormandy noticed it.

Now imagine what malicious people with the leaked Cloudflare
information can do: They can monitor the data flows of these websites - user names, passwords, communications, cookies
and authentication tokens.

Why is it dangerous that Cloudflare has access to millions of SSL certificates?

Cloudflare is a service which protects websites from DDoS attacks. In order to be able to protect HTTPS sessions,
Cloudflare says it needs access to the private keys of the SSL certificates of the "protected" websites,
which by itself means that customers must trust Cloudflare completely.

If you are wondering about the
relevance of SSL, here is a short video:

An SSL certificate gives you visual confirmation that you are currently viewing the
website you intended to visit, and that it is safe to enter payment details and passwords.

Private keys of SSL certificates must never be trusted to third party services

If an attacker had the private key of an SSL certificate at his disposal, he could duplicate a website, let's say that of your bank,
and you wouldn't even notice. He pretends that this is the original website, a classic man-in-the-middle attack. Now you want
to transfer money online and go to your bank's website. You check whether the connection is secure, because you are a
prudent person. Everything seems to be all right, so you enter your credit card details and hit the send button.

And now?
Your payment details are sent directly to the attacker - you did not visit your bank's website as you thought, you have
just been to the malicious duplicate. Fortunately, this is not what happened with Cloudbleed, but this is exactly the
reason why we at Tutanota would never use Cloudflare or any similar service.

In a nutshell, the real danger of any service like Cloudflare is that they collect the private keys of millions of SSL certificates,
which makes them an extremely attractive target not only for attackers, but also for secret services.
With the private keys, the NSA would be able to decrypt everything - yes, every little bit of data you generated
through these affected websites.

Our advice to you

Change your passwords. The people in charge may communicate that the data has disappeared from the internet now,
but no-one knows who already had access to the data. For instance, no-one knows whether Ormandy was the first or the only one to
notice this data leakage.
Even if your information has not been leaked, it is always a good idea to change your passwords every once in a while.

Your secure mails in Tutanota are not affected

As Tutanota does not use Cloudflare - we would never hand the private keys of our SSL certificates to anyone - you can be sure
that your secure mailbox is not affected.

In case you were using the same passwords for Tutanota and other services, please also change your Tutanota password. And
make it unique - plus write it down somewhere safe as we cannot reset it.

Although attackers may have recorded a lot of your online traffic, we have good news for you: Your data in Tutanota is encrypted.
Your Tutanota emails are not accessible to anyone apart from yourself.

Matthias is co-founder and developer of Tutanota. I write code to fight for our human right to privacy. I want to create a cloud service which is so easy to use and so secure that it locks out all the spies. We really deserve better.